diff options
-rw-r--r-- | src/copy.c | 23 | ||||
-rwxr-xr-x | tests/cp/cp-a-selinux | 51 | ||||
-rwxr-xr-x | tests/cp/cp-mv-enotsup-xattr | 7 |
3 files changed, 49 insertions, 32 deletions
diff --git a/src/copy.c b/src/copy.c index 3c32fa311..0fa148e4c 100644 --- a/src/copy.c +++ b/src/copy.c @@ -531,7 +531,8 @@ copy_reg (char const *src_name, char const *dst_name, security_context_t con = NULL; if (getfscreatecon (&con) < 0) { - if (!x->reduce_diagnostics || x->require_preserve_context) + if (x->require_preserve_context || + (!x->reduce_diagnostics && !errno_unsupported (errno))) error (0, errno, _("failed to get file system create context")); if (x->require_preserve_context) { @@ -544,7 +545,8 @@ copy_reg (char const *src_name, char const *dst_name, { if (fsetfilecon (dest_desc, con) < 0) { - if (!x->reduce_diagnostics || x->require_preserve_context) + if (x->require_preserve_context || + (!x->reduce_diagnostics && !errno_unsupported (errno))) error (0, errno, _("failed to set the security context of %s to %s"), quote_n (0, dst_name), quote_n (1, con)); @@ -1825,7 +1827,8 @@ copy_internal (char const *src_name, char const *dst_name, { if (setfscreatecon (con) < 0) { - if (!x->reduce_diagnostics || x->require_preserve_context) + if (x->require_preserve_context || + (!x->reduce_diagnostics && !errno_unsupported (errno))) error (0, errno, _("failed to set default file creation context to %s"), quote (con)); @@ -1839,15 +1842,15 @@ copy_internal (char const *src_name, char const *dst_name, } else { - if (!errno_unsupported (errno) || x->require_preserve_context) + if (x->require_preserve_context || + (!x->reduce_diagnostics && !errno_unsupported (errno))) { - if (!x->reduce_diagnostics || x->require_preserve_context) - error (0, errno, - _("failed to get security context of %s"), - quote (src_name)); - if (x->require_preserve_context) - return false; + error (0, errno, + _("failed to get security context of %s"), + quote (src_name)); } + if (x->require_preserve_context) + return false; } } diff --git a/tests/cp/cp-a-selinux b/tests/cp/cp-a-selinux index 770dcc4fc..b65070a1c 100755 --- a/tests/cp/cp-a-selinux +++ b/tests/cp/cp-a-selinux @@ -60,51 +60,60 @@ test $skip = 1 \ cd mnt || framework_failure echo > f || framework_failure -echo > g || framework_failure - +echo > g || framework_failure # /bin/cp from coreutils-6.7-3.fc7 would fail this test by letting cp # succeed (giving no diagnostics), yet leaving the destination file empty. cp -a f g 2>err || fail=1 test -s g || fail=1 # The destination file must not be empty. test -s err && fail=1 # There must be no stderr output. -rm -f g err +# ===================================================== +# Here, we expect cp to succeed and not warn with "Operation not supported" +rm -f g echo > g +cp --preserve=all f g 2>err || fail=1 +test -s g || fail=1 +grep "Operation not supported" err && fail=1 # ===================================================== +# The same as above except destination does not exist +rm -f g +cp --preserve=all f g 2>err || fail=1 +test -s g || fail=1 +grep "Operation not supported" err && fail=1 + +# An alternative to the following approach would be to run in a confined +# domain (maybe creating/loading it) that lacks the required permissions +# to the file type. +# Note: this test could also be run by a regular (non-root) user in an +# NFS mounted directory. When doing that, I get this diagnostic: +# cp: failed to set the security context of `g' to `system_u:object_r:nfs_t': \ +# Operation not supported +cat <<\EOF > exp || framework_failure=1 +cp: failed to set the security context of +EOF + +rm -f g +echo > g +# ===================================================== # Here, we expect cp to fail, because it cannot set the SELinux # security context through NFS or a mount with fixed context. cp --preserve=context f g 2> out && fail=1 - # Here, we *do* expect the destination to be empty. test -s g && fail=1 +sed "s/ .g' to .*//" out > k +mv k out +compare out exp || fail=1 rm -f g echo > g # Check if -a option doesn't silence --preserve=context option diagnostics cp -a --preserve=context f g 2> out2 && fail=1 - # Here, we *do* expect the destination to be empty. test -s g && fail=1 - -# An alternative to the current approach would be to run in a confined -# domain (maybe creating/loading it) that lacks the required permissions -# to the file type. -# Note: this test could also be run by a regular (non-root) user in an -# NFS mounted directory. When doing that, I get this diagnostic: -# cp: failed to set the security context of `g' to `system_u:object_r:nfs_t': \ -# Operation not supported -sed "s/ .g' to .*//" out > k -mv k out sed "s/ .g' to .*//" out2 > k mv k out2 - -cat <<\EOF > exp || fail=1 -cp: failed to set the security context of -EOF - -compare out exp || fail=1 compare out2 exp || fail=1 Exit $fail diff --git a/tests/cp/cp-mv-enotsup-xattr b/tests/cp/cp-mv-enotsup-xattr index 0239abbde..7e7b6456f 100755 --- a/tests/cp/cp-mv-enotsup-xattr +++ b/tests/cp/cp-mv-enotsup-xattr @@ -77,7 +77,12 @@ test -s err && fail=1 # there must be no stderr output rm -f err noxattr/a -# This should pass without diagnostics +# This should pass without diagnostics (new file) +cp --preserve=all xattr/a noxattr/ 2>err || fail=1 +test -s noxattr/a || fail=1 # destination file must not be empty +test -s err && fail=1 # there must be no stderr output + +# This should pass without diagnostics (existing file) cp --preserve=all xattr/a noxattr/ 2>err || fail=1 test -s noxattr/a || fail=1 # destination file must not be empty test -s err && fail=1 # there must be no stderr output |